Closed planetlevel closed 1 year ago
So like... "Lack of protection from threats"? Wouldn't that cover everything?
Sure - something like that. Personally, when I hear the word threats, I think about threat agents -- anonymous agents, nation states, insiders, etc... I think here we are really talking about identifying and preventing attacks. Protecting against threats could be any defense. Here, we are talking specifically about detecting attacks and taking action. So I'd use the word "attacks" instead.
From the description, this vulnerability looks focused on business vulnerabilities as opposed to API-specific vulnerabilities. The description says it "involves understanding of the business model" and all the examples are about harming or compromising the business model. Maybe this could be the "Business Logic Flaws" suggested in #90?
Why is this still open! I can see the new changes in the 2023 edition.
I believe that the lack of attack detection and protection mechanisms is a massive risk. There is absolutely no reason that web applications and web APIs shouldn't be able to detect attacks and respond accordingly. Apps/APIs shouldn't just tolerate attacks. Using parameterized queries, escaping, and sending 400 responses doesn't do anything to increase the burden on an attacker. Most apps/APIs will let an attacker attempt to exploit it forever.
My problem with this item is that it's too narrow. Why limit this to "automated threats"? In the first place there's really no way to tell the difference between automated threats and manual attacks. And second, why does it matter? I encourage you to remove the "automated" limitation and expand the scope of this category to include all kinds of attacks.
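The two comments above argue that an API should detect attack probes and respond to the client making them, rather than only rejecting each malformed request with a 400, and that the response should not depend on whether the probes are automated or manual. The following is an added example (not code from this thread or from the OWASP project) of such a detect-and-respond layer: it records each detected probe per client in a sliding window and, once a client crosses a threshold, blocks that client for a cooldown period regardless of how the probes were sent. The signature patterns, thresholds, request shape and sample traffic are all constructed for illustration.

```python
"""
Added example (not from the OWASP thread or project): a minimal
attack-detection-and-response layer for an API. A single rejected
request still gets a 400, but repeated probes from the same client
lead to a block, which is the "take action" step the thread asks for.
Signatures, thresholds and traffic below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed signatures for a few well-known probe patterns (illustrative, not exhaustive).
ATTACK_SIGNATURES = {
    "sqli": re.compile(r"('|\")\s*(or|and)\s*\d+\s*=\s*\d+|union\s+select|--\s*$", re.IGNORECASE),
    "path_traversal": re.compile(r"(\.\./){2,}|%2e%2e%2f", re.IGNORECASE),
    "xss": re.compile(r"<script\b|javascript:", re.IGNORECASE),
}


@dataclass
class Request:
    client_id: str      # assumed: API key or authenticated subject
    path: str
    params: Dict[str, str]
    ts: float           # request time in seconds


@dataclass
class Decision:
    status: int
    reason: str


@dataclass
class AttackResponder:
    threshold: int = 3              # probes within the window before the client is blocked
    block_seconds: float = 600.0    # cooldown once blocked
    window_seconds: float = 300.0   # probes older than this are forgotten
    _events: Dict[str, List[float]] = field(default_factory=lambda: defaultdict(list))
    _blocked_until: Dict[str, float] = field(default_factory=dict)

    def classify(self, req: Request) -> Optional[str]:
        """Return the name of the matching signature, or None for benign input."""
        for value in list(req.params.values()) + [req.path]:
            for name, pattern in ATTACK_SIGNATURES.items():
                if pattern.search(str(value)):
                    return name
        return None

    def handle(self, req: Request) -> Decision:
        """Decide the response: benign -> 200, probe -> 400, repeated probes -> 429 block."""
        until = self._blocked_until.get(req.client_id, 0.0)
        if req.ts < until:
            # A blocked client gets the same answer for every request, benign or not.
            return Decision(429, "client blocked after repeated attack probes")
        kind = self.classify(req)
        if kind is None:
            return Decision(200, "ok")
        # Record the probe and keep only events inside the sliding window.
        events = self._events[req.client_id]
        events.append(req.ts)
        events[:] = [t for t in events if req.ts - t <= self.window_seconds]
        if len(events) >= self.threshold:
            self._blocked_until[req.client_id] = req.ts + self.block_seconds
            events.clear()
            return Decision(429, f"blocked: {kind} probe #{self.threshold}")
        return Decision(400, f"rejected: {kind} probe")


def run_sample() -> List[int]:
    """Replay constructed traffic and return the status code given to each request."""
    responder = AttackResponder(threshold=3, block_seconds=600.0, window_seconds=300.0)
    t0 = 1_700_000_000.0
    traffic = [  # constructed sample traffic
        Request("client-A", "/api/orders", {"id": "42"}, t0),
        Request("client-A", "/api/orders", {"id": "42' OR 1=1 --"}, t0 + 1),
        Request("client-A", "/api/orders", {"id": "42 UNION SELECT 1"}, t0 + 2),
        Request("client-A", "/api/files", {"name": "../../../app.conf"}, t0 + 3),
        Request("client-A", "/api/orders", {"id": "43"}, t0 + 4),      # benign, but blocked
        Request("client-B", "/api/orders", {"id": "7"}, t0 + 5),       # other client unaffected
        Request("client-A", "/api/orders", {"id": "43"}, t0 + 700),    # block has expired
    ]
    return [responder.handle(r).status for r in traffic]


if __name__ == "__main__":
    print(run_sample())  # [200, 400, 400, 429, 429, 200, 200]
```

The point of the design is the third and fourth requests from client-A: the third probe flips the client from per-request rejection to a block, and the next request is refused even though it is benign. Nothing in the logic asks whether the probes were scripted or typed by hand, which is why the "automated" qualifier in the category name makes no difference to the defence. In a real deployment the counters would live in shared storage (for a multi-instance API) and the block decision would also be emitted to logging or a SIEM so that a human can see which clients are being refused and why.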